hiQ’s Groundbreaking Injunction Against LinkedIn Reaffirmed: Scraping of Publicly Available Data Likely Does Not Violate CFAA
The U.S. Court of Appeals for the Ninth Circuit has affirmed its prior decision, holding that LinkedIn could not block hiQ, a scraping entity, from scraping public LinkedIn profiles. The court found it was unlikely that hiQ had violated the Computer Fraud and Abuse Act (CFAA), which is commonly understood to be an anti-hacking law. However, this opinion is limited to publicly available information. A scraping company could therefore still be liable under the CFAA if it scrapes information from a website that requires authorization or access permission, such as password authentication.
Additionally, the court noted that data aggregators could bring other, non-CFAA claims against scraping entities, such as breach of contract and copyright infringement claims, even when those companies are scraping public information. Thus, data scraping law is very nuanced and still in its early stages, making the guidance of counsel especially important before starting a data scraping business or cutting off access to data scrapers.
Farella Braun + Martel represented hiQ in obtaining the preliminary injunction and through its first appeal to the Ninth Circuit.
The Court’s Analysis
After the Ninth Circuit affirmed the preliminary injunction in 2019, LinkedIn filed a petition for writ of certiorari with the Supreme Court of the United States. The Supreme Court vacated the decision and remanded the case to the Ninth Circuit for further consideration in light of its decision in Van Buren v. United States, 141 S. Ct. 1648 (2021), a case concerning application of the Computer Fraud and Abuse Act (CFAA) in the criminal context. The Ninth Circuit once again affirmed the underlying hiQ Labs decision, largely mirroring its earlier analysis.
To obtain a preliminary injunction, a plaintiff must show that they are likely to succeed on the merits, that they are likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in their favor, and that an injunction is in the public interest.
The Ninth Circuit found credible hiQ’s assertion that the survival of its business is threatened absent an injunction prohibiting LinkedIn from blocking hiQ from scraping publicly available information from LinkedIn’s website. Similarly, the balance of equities tipped “sharply” toward hiQ, given that LinkedIn’s interest in preventing data collection was outweighed by hiQ’s interest in continuing its business. Importantly, the court also determined that there was a strong public interest in preventing companies like LinkedIn from becoming “information monopolies” who could otherwise decide, on any basis, who can collect and use publicly available data.
The remainder of the Ninth Circuit’s decision explored how hiQ raised “serious questions” that supported its likelihood of success on the merits of its intentional interference with contract claim against LinkedIn. With respect to LinkedIn’s “legitimate business purpose” defense to this claim, the Ninth Circuit determined, inter alia, that hiQ’s interest in fulfilling its contracts with the customers of its data analytics products and services is stronger than LinkedIn’s comparatively weak “interest in protecting its members’ data and the investment made in developing its platform” and “enforcing its User Agreements’ prohibitions on automated scraping.”
The court also rejected LinkedIn’s further argument that blocking hiQ from scraping publicly available data was justified because such scraping violated the CFAA, 18 U.S.C. § 1030, which outlaws intentional access to a computer to obtain information “without authorization” from that protected computer (here, the LinkedIn servers would be the “protected computer”). Once again, the court agreed that hiQ had at least raised a “serious question” that its activities did not run afoul of the CFAA because LinkedIn’s information was accessible to the general public, and so data miners like hiQ were not accessing those servers “without authorization.”
The court explained that Congress created the CFAA with “hacking” and “breaking and entering” in mind, contemplating the existence of three kinds of computer system accessibility:
- (1) access is open to the general public and permission is not required,
- (2) authorization is required and has been given, and
- (3) authorization is required but has not been given.
According to the Ninth Circuit, where information like a public LinkedIn profile is “available to anyone with an internet connection,” it falls under the first category, and thus the idea that anybody, including scraper entities, can access this information “without authorization” is “inapt.” The court added that Van Buren’s “gates-up-or-down inquiry”—“one either can or cannot access a computer system, and one either can or cannot access certain areas within the system”—is akin to categories (2) and (3). It held that Van Buren thus reinforces its conclusion “that the concept of ‘without authorization’ does not apply to public websites.”
Large data aggregators should not rely on the CFAA when bringing claims against scrapers of their publicly accessible data, or when defending against claims brought by those scrapers when the aggregators take measures to restrict access to the data. However, while the court closed one gate, it left several others open. In fact, it reminded readers that other causes of action including state law trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy may still apply to such scraping activities. Indeed, plaintiffs in data scraping lawsuits routinely include such claims in their complaints.